httpd-users mailing list archives

From "Jesse B. Crawford" <jean...@nmt.edu>
Subject [users@httpd] best practice: suexec with PHP5 in a many-user/non-technical-user environment
Date Tue, 25 Oct 2011 21:07:21 GMT
Hello,
We're a small university (think 3000 users) with an NFS/Kerberos/LDAP
network environment. I'm currently preparing for a much-needed complete
overhaul of our main webserver, which hosts the users' webpages using a
standard userdir configuration (the webserver has all home directories
mounted). The old configuration ran Apache as the www-data user for all
purposes, but this simply isn't secure now that we have users running
WordPress etc. out of their accounts, so Apache (and thus everyone
else) must be able to read their MySQL credentials.

I would thus like to use suexec in the new configuration so that users
can own and secure their files. Here's the trouble: From the
documentation I have read (and it is quite possible I'm missing
something), suexec can only call binaries within the userdir, not
somewhere on the rest of the system. This makes PHP difficult since
php-cgi must be called. Everywhere I have looked this problem has been
solved by placing a shell script in the user's public_html. Apache runs
the script, and the script runs php-cgi.

I don't like this solution, though, because it requires that all users
have a "magic shell script" in their public_html. Many of our users (as
I think anyone at a university has experienced) have little to no
understanding of a linux environment and won't understand the script,
thus either creating it incorrectly or (if we place it automatically)
removing it accidentally. Sure, we could write tools to correct this
automatically, but it simply seems like there must be a better way to do
this.

Is there not any way that /usr/bin/php-cgi can be added to some sort of
whitelist that suexec is allowed to call? I think one potential
solution is to run suphp alongside suexec, but it seems like it should
be simple to do all this with suexec and fcgid, which I plan to use for
Python/Perl. What would you recommend as the best practice for this kind
of setup?

Thanks!

-- 
Jesse B. Crawford (jeanluc)
Systems Programmer
Tech Computer Center
New Mexico Inst. of Mining & Tech.

jeanluc@nmt.edu // http://nmt.edu/~jeanluc


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
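As an added example (not code from the post, nor from the Apache project), here is a POSIX sh script along the lines of the "tools to correct this automatically" idea mentioned in the message: it writes the per-user wrapper that mod_fcgid invokes through suexec, and it checks the ownership and permission rules suexec enforces before it will exec a target, so an administrator can see why a given user's PHP stopped working instead of reading the suexec log. The php-cgi path, the wrapper file name php.fcgi, the uid minimum of 1000 and the use of GNU stat are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original post. Assumed (not from the post):
# the php-cgi path, the wrapper file name, and GNU coreutils stat.
PHP_CGI=/usr/bin/php-cgi
WRAPPER_NAME=php.fcgi
# suexec refuses uids below its compile-time minimum (--with-suexec-uidmin,
# 1000 by default). Override from the environment when checking a test box.
: "${SUEXEC_UID_MIN:=1000}"

# Write the "magic shell script" into a user's public_html. suexec execs
# this file as the directory's owner, and the file execs php-cgi, which
# lives outside the userdir and so cannot be named directly by suexec.
install_php_wrapper() {
    pubhtml=$1
    wrapper="$pubhtml/$WRAPPER_NAME"
    # umask 022 in a subshell: the file must never be group/world writable
    ( umask 022
      cat > "$wrapper" <<EOF
#!/bin/sh
# Generated FastCGI wrapper. Do not edit; it is recreated if removed.
PHP_FCGI_CHILDREN=4
PHP_FCGI_MAX_REQUESTS=1000
export PHP_FCGI_CHILDREN PHP_FCGI_MAX_REQUESTS
exec $PHP_CGI
EOF
    )
    chmod 0755 "$wrapper"
}

# Check the conditions suexec verifies before running a target: a regular
# file, owned by the user, uid not below the minimum, no group/world write
# bit, no setuid/setgid bit, and a directory that is owned by the user and
# not group/world writable. (suexec also checks the group; omitted here.)
# Prints the first failed rule and returns 1; returns 0 when all pass.
check_suexec_wrapper() {
    wrapper=$1
    user=$2
    dir=$(dirname "$wrapper")
    [ -f "$wrapper" ] || { echo "missing wrapper: $wrapper"; return 1; }
    # GNU stat: %U owner name, %u numeric uid, %a octal permission bits
    set -- $(stat -c '%U %u %a' "$wrapper")
    [ "$1" = "$user" ] || { echo "wrapper owned by $1, not $user"; return 1; }
    [ "$2" -ge "$SUEXEC_UID_MIN" ] || { echo "uid $2 below suexec minimum $SUEXEC_UID_MIN"; return 1; }
    # leading 0 forces octal; 18 = 0022 (group+other write), 3072 = 06000 (suid+sgid)
    [ $(( 0$3 & 18 )) -eq 0 ] || { echo "wrapper is group/world writable ($3)"; return 1; }
    [ $(( 0$3 & 3072 )) -eq 0 ] || { echo "wrapper is setuid/setgid ($3)"; return 1; }
    set -- $(stat -c '%U %a' "$dir")
    [ "$1" = "$user" ] || { echo "$dir owned by $1, not $user"; return 1; }
    [ $(( 0$2 & 18 )) -eq 0 ] || { echo "$dir is group/world writable ($2)"; return 1; }
    return 0
}
```

The wrapper is what mod_fcgid is pointed at (FcgidWrapper in the user's .htaccess or a per-user Directory block); suexec then runs it as the owner of public_html, which is exactly why it has to sit inside the userdir rather than being /usr/bin/php-cgi itself. Running the check from cron over every home directory turns the "user deleted or chmod'ed the script" failure into a report instead of a silent 500.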

